Rancher Release v2.3.2

Release v2.3.2


  • Please be review the v2.3.0 release notes for important updates/ breaking changes.

  • Recent changes to cert-manager require an upgrade if you have an HA install of Rancher using self-signed certificates. If you are using cert-manager older than v0.9.1, please see the documentation on how to upgrade cert-manager.

  • If you launch a single node Rancher install with the LetsEncrypt option, you must upgrade to this Rancher version to be able to get and renew certificates from LetsEncrypt. LetsEncrypt is rolling out the deprecation of their v1 API endpoints and the deprecation will be permanent starting Nov 1.

  • If you are using the canal network plug-in in a Rancher Launched Kubernetes cluster, upgrading your Kubernetes version or editing the cluster will cause the canal pods to be recreated.

The following versions are now latest and stable:

Type Rancher Version Docker Tag Helm Repo Helm Chart Version
Latest v2.3.2 rancher/rancher:latest server-charts/latest v2.3.2
Stable v2.3.2 rancher/rancher:stable server-charts/stable v2.3.2

Please review our version documentation for more details on versioning and tagging conventions.

Features and Enhancements

  • Kubernetes 1.16 is GA - Kubernetes 1.16 is now available as GA, but due to the deprecation of different APIs in the Kubernetes 1.16 release, Kubernetes 1.16 is not the default version. Please review any apps deployed from the Rancher library catalog to upgrade to the latest version to prepare for the upcoming release.

  • UI for Istio Gateway, Virtual Services and Destination Rules [#20892, #23582] - We’ve added the ability to add the Istio gateway through the UI as well as made the UI for Istio a GA feature. By default the feature flag of the Istio UI is now enabled by default.

Experimental Features

We have introduced the ability to turn on and off experimental components inside Rancher. Please refer to our docs on how to turn on the features.

Major Bugs Fixed Since v2.3.1

  • Fixed an issue where HA upgrades were failing when when using TLS termination due to a bug where cacerts were generated incorrectly in older versions [#23441]
  • Fixed an issue where monitoring wasn’t able to start when following the hardening guide [#20884]
  • Fixed an issue where projects with malformed certs were no longer able to be loaded in the UI [#23285]
  • Fixed an issue where canal was failing for the readiness probe for Kubernetes 1.15 and 1.16 [#23430]
  • Fixed an issue wher the rancher/cli2:v2.3.0 image wasn’t working [#23433]

Other notes

Air Gap Installations and Upgrades

In v2.3.0, an air gap install no longer requires mirroring the systems chart git repo. Please follow the directions on how to install Rancher to use the packaged systems chart.

Known Major Issues

  • RHEL 7.7 with selinux enabled and k8s 1.16 with RHEL Docker 1.13 is not working [#23662]
  • Logging - Json parsing of log data in the plug-in changed within Rancher’s packaging of fluentd [#23646]
  • NGINX ingress controller 0.25.0 doesn’t work on CPUs without SSE4.2 instruction set support [#23307]
  • Windows Limitations - There are a couple of known limitations with Windows due to upstream issues:
    • Windows pods cannot access the Kubernetes API when using VXLAN (Overlay) backend for the flannel network provider. The workaround is to use the Host Gateway (L2bridge) backend for the flannel network provider. [#20968]
    • Logging only works on Host Gateway (L2bridge) backend for the flannel network provider [#20510]
  • Istio Limitation - Istio will not work with a restricted pod security policy [#22469]
  • HPA Limitation - HPA UI doesn’t work on GKE clusters as GKE doesn’t support the v2beta2.autoscaling API [#22292]
  • Hardening Guide Limitations - If you have used Rancher’s hardening guide, there are some known issues
    • kubectl in UI doesn’t work [#19439]
    • Pipelines don’t work [#22844]
  • Adding taints to existing node templates from an upgraded setup will not be applied unless a reconcile is triggered on the cluster. When scaling up/down worker nodes, no reconcile is triggered, but scaling up/down either control plane/etcd nodes or editing a cluster (like upgrading to the latest Kubernetes version) would update to support taints on the nodes. [#22672]
  • Cluster alerting and logging can get stuck in Updating state after upgrading Rancher. Workaround steps are provided in the issue [21480]
  • If you have Rancher cluster with OpenStack cloud provider having LoadBalancer set, and the cluster was provisioned on version 2.2.3 or less, the upgrade to the Rancher version v2.2.4 and up will fail. Steps to mitigate can be found in the comment to [20699]



  • rancher/rancher:v2.3.2
  • rancher/rancher-agent:v2.3.2



Upgrades and Rollbacks

Rancher supports both upgrade and rollback. Please note the version you would like to upgrade or rollback to change the Rancher version.

Please be aware that upon an upgrade to v2.3.0+, any edits to a Rancher launched Kubernetes cluster will cause all system components to restart due to added tolerations to Kubernetes system components. Plan accordingly.

Recent changes to cert-manager require an upgrade if you have an HA install of Rancher using self-signed certificates. If you are using cert-manager older than v0.9.1, please see the documentation on how to upgrade cert-manager.

Important: When rolling back, we are expecting you to rollback to the state at the time of your upgrade. Any changes post upgrade would not be reflected.